Restricting Access by URL

The tokens generated from most parameters are not specific to a particular folder or asset. Therefore, those tokens may potentially be reused to authenticate content stored in various folders. The Allow URL parameter (i.e., ec_url_allow), on the other hand, tailors tokens to a particular asset or path. This parameter restricts access to requests whose URLs start with a specific relative path.

Query strings are ignored by this parameter.

The comparison between a request and this parameter's value starts immediately after the request's hostname.

Key information:

This starting point applies to both CDN and edge CNAME URLs.
Both CDN and edge CNAME URLs are case-sensitive. Please make sure to use the proper case when linking to CDN content or setting a value for the ec_url_allow parameter.
This parameter can also validate access to multiple folders or assets. Separate each desired path with a comma.
Example:
/000001/Folder1,/000001/Folder2/SubfolderA,/000001/Folder3/index.htm
- Do not add spaces when specifying multiple assets or folders. Relative paths that are preceded by a space are considered invalid entries that will be ignored.

Basic Example (Edge CNAME URL)

All of the following requests satisfy this requirement when ec_url_allow is set to "/marketing:"

http://cdn.mydomain.com/marketing.htm
http://cdn.mydomain.com/marketing/images/presentation01.jpg
http://cdn.mydomain.com/marketingmaterials/images/marketing.htm

Alternatively, only the first request will satisfy this security requirement when ec_url_allow is set to "/marketing.htm."

Sample URLs

Sample URLs are provided below. Bold, blue font indicates the portion of the URL that will be compared against the relative path defined for this parameter.

Type	Sample URL
CDN URL	http://can.0001.transactcdn.com/800001/MyServer/marketing.htm
Edge CNAME URL	http://cdn.mydomain.com/marketing.htm

Sample Scenarios

The following sample scenarios demonstrate how different ec_url_allow values are handled.

Scenario #1

This scenario is based on the following request:

Request	Description
URL Type	CDN URL
Origin Type	CDN Storage
URL	http://can.0001.transactcdn.com/000001/Secure/index.html

All of the following sample ec_url_allow values authorize the above request.

ec_url_allow Value	Additional Information
/000001	Authorizes all CDN URL requests to CDN storage.
/000001/Secure/	Authorizes CDN URL requests to the Secure folder on CDN storage.
/000001/Secure/index.html	Only authorizes this specific CDN URL request.

Scenario #2

This scenario is based on the following request:

Request	Description
URL Type	CDN URL
Origin Type	Customer Origin
URL	http://can.0001.transactcdn.com/800001/MyServer/Secure/index.html

All of the following sample ec_url_allow values authorize the above request.

ec_url_allow Value	Additional Information
/800001	Authorizes CDN URL requests to any customer origin server.
/800001/MyServer/	Authorizes all CDN URL requests to a customer origin server called "MyServer."
/800001/MyServer/Secure/index.html	Only authorizes this specific CDN URL request.

Scenario #3

This scenario is based on the following request:

Request	Description
URL Type	Edge CNAME URL
Origin Type	Customer Origin
URL	http://secure.server.com/marketing/index.html The hostname "secure.server.com" leverages an edge CNAME configuration that points to: can.0001.transactcdn.com/800001/MyServer/Secure

Request

Description

URL Type

Edge CNAME URL

Origin Type

Customer Origin

URL

http://secure.server.com/marketing/index.html

The hostname "secure.server.com" leverages an edge CNAME configuration that points to:

can.0001.transactcdn.com/800001/MyServer/Secure

All of the following sample ec_url_allow values authorize the above request.

ec_url_allow Value	Additional Information
/	Authorizes all requests regardless of URL or origin type. The relative path for all requests start with a "/."
/marketing	Authorizes all edge CNAME URL requests to a folder called "marketing."
/marketing/index.html	Authorizes requests that meet the following criteria: URL Type: Edge CNAME URL Relative Path: /marketing File Name: index.html

ec_url_allow Value

Additional Information

Authorizes all requests regardless of URL or origin type. The relative path for all requests start with a "/."

/marketing

Authorizes all edge CNAME URL requests to a folder called "marketing."

/marketing/index.html

Authorizes requests that meet the following criteria:

URL Type: Edge CNAME URL
Relative Path: /marketing
File Name: index.html

Additional Sample Scenarios

The sample requests listed in this section leverage a token that contains the following requirement:

ec_url_allow=/Folder1/movie1,/Folder2

The following table describes how sample requests will be handled for this scenario.

Sample Request	Authorized?
http://secure.server.com/Folder1/movie1.flv	Allowed
http://secure.server.com/Folder1/movie1.mpg	Allowed
http://secure.server.com/Folder1/movie1/index.htm	Allowed
http://secure.server.com/Folder2/film.mpg	Allowed
http://secure.server.com/Folder1/movie2.flv	Denied
http://secure.server.com/Folder3	Denied

The "secure.server.com" hostname points to can.0001.transactcdn.com/800001/MyServer/Secure.